When a transaction is performed between the terminal of a user and a server, it is generally desirable for the server to authenticate the user. Common techniques for authenticating a user include the use of a login and a password, or a cryptographic signature calculated by a secure element such as a SIM card.
Furthermore, considering the possibility that a malicious computer program, commonly known as malware, may run on the user's terminal, it is also desirable for the server to verify that the transaction is performed under the control of the user.
A common technique for verifying that a transaction is performed under the control of a user (a human being) is a challenge-response test known as CAPTCHA. Typically, the server sends the terminal an image comprising alphanumeric characters that are difficult for an OCR program to recognize but visible to a human. The terminal displays the image and the user enters the alphanumeric characters. The server then checks that the entered characters correspond to the image.
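The server side of the CAPTCHA exchange described above, as an added example that is not part of the original document. The names `CaptchaServer`, `ALPHABET` and `TTL_SECONDS`, and the single-use and expiry policy, are assumptions made for illustration; rendering the text into a distorted image is left out.

```python
import hmac
import secrets
import time

# Assumption: glyphs that humans confuse (0/O, 1/I) are left out of the alphabet.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
TTL_SECONDS = 120  # assumption: how long a challenge stays answerable


class CaptchaServer:
    """Tracks issued challenges so each one can be answered at most once."""

    def __init__(self, clock=time.monotonic):
        self._pending = {}  # challenge id -> (expected text, expiry time)
        self._clock = clock

    def issue(self, length=6):
        """Create a challenge and return (challenge_id, text).

        A real server would render `text` into an image and send the terminal
        only the image and the id, never the text itself.
        """
        text = "".join(secrets.choice(ALPHABET) for _ in range(length))
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = (text, self._clock() + TTL_SECONDS)
        return challenge_id, text

    def verify(self, challenge_id, answer):
        """Check the characters the user entered against the issued challenge."""
        # pop() consumes the challenge whether or not the answer is right, so a
        # program cannot submit repeated guesses or replay a solved challenge.
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return False
        expected, expiry = entry
        if self._clock() > expiry:
            return False
        entered = answer.strip().upper().encode()
        # Constant-time comparison of the expected and entered characters.
        return hmac.compare_digest(expected.encode(), entered)
```
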
However, an attack is still possible: character recognition software has been developed to recognize the information in a CAPTCHA image.
Thus, it is desirable to improve the techniques for verifying that a transaction is performed under the control of a user.